Purpose specification and use limitation — Articles 17 and 18 APPI framework
Japan's Act on the Protection of Personal Information (APPI, Act No. 57 of 2003, as amended through Act No. 37 of 2021) does not employ the enumerated "lawful bases" structure familiar to GDPR practitioners. Instead, the APPI imposes a purpose-specification and use-limitation regime under Articles 17 and 18, which together form the core framework for permitted processing by businesses handling personal information (個人情報取扱事業者, kojin jōhō toriatsukai jigyōsha, "personal information handling business operators").
Article 17(1): Purpose specification at the point of handling
Article 17(1) APPI requires that "in handling personal information, the business handling personal information must specify as much as possible the purpose for which it uses that information (hereinafter referred to as the 'purpose of use')." This obligation applies at the outset of processing and demands specificity — vague or overly broad statements of purpose do not satisfy the statute. The Personal Information Protection Commission (PPC), Japan's independent supervisory authority established under the APPI, has clarified in its General Rules Guidelines that the purpose must be sufficiently concrete to allow the data subject to reasonably foresee how the information will be handled.
Article 17(2) permits a business to change the purpose of use, but it must not change it beyond the scope reasonably recognized as relevant to the purpose before the change. This constraint on purpose modification is narrower than GDPR's compatibility test: a new purpose must bear a reasonable relationship to the purpose as originally specified, and a change that fails that test requires fresh consent under Article 18(1).
Article 18(1): Use limitation — consent required for processing beyond the specified purpose
Article 18(1) APPI establishes the core use-limitation rule: "A business handling personal information must not handle personal information beyond the scope necessary for achieving the purpose of use specified pursuant to the provisions of the preceding Article without obtaining the identifiable person's consent to do so in advance."
This provision operates as a default prohibition with a consent override. If the processing falls within the scope necessary to achieve the originally specified purpose, no separate consent is required; the lawfulness of the processing flows from the initial specification and the data subject's awareness at the point of acquisition (governed by the Article 21 requirement to notify or publish the purpose of use and the Article 32 requirement to keep it publicly accessible). If the business wishes to process the personal information for a new or expanded purpose, prior consent of the data subject is mandatory unless an exception under Article 18(3) applies. Article 18(2) extends the same rule to business succession: a business that acquires personal information through a merger or other succession may handle it only within the scope of the purpose specified before the succession, again unless it obtains consent.
Article 18(3): Statutory exceptions to the consent requirement
Article 18(3) enumerates narrow exceptions under which the use-limitation rules of paragraphs (1) and (2) do not apply, so that processing beyond the specified purpose is permitted without consent:
- Handling is based on laws or regulations (item (i));
- Processing is necessary for the protection of life, body, or property of an individual, and obtaining consent is difficult (item (ii));
- Processing is particularly necessary for improving public health or promoting the sound development of children, and obtaining consent is difficult (item (iii));
- Cooperation with a state organ, local government, or person entrusted by either in executing affairs prescribed by law, and obtaining consent would impede the execution of those affairs (item (iv));
- The business is itself an academic research institution handling the information for academic research purposes (item (v)), or provides personal data to an academic research institution that needs it for academic research purposes (item (vi)), in each case unless the handling risks unjustifiably infringing individual rights and interests (both items added by the 2021 amendments).
These exceptions are interpreted narrowly by the PPC and track the familiar data-protection concepts of legal obligation, vital interests, and public-interest tasks. Unlike GDPR's legitimate-interests basis (Article 6(1)(f)), the APPI does not provide a general balancing test; businesses must fit within an enumerated exception or obtain consent.
Regulatory supervision and enforcement
The PPC (個人情報保護委員会, kojin jōhō hogo iinkai) is a so-called Article 3 commission, a body with a high degree of independence of the type contemplated by Article 3 of the National Government Organization Act, established as an external organ of the Cabinet Office. It exercises consolidated supervisory authority over private-sector processing under Chapter IV of the APPI and, since the 2021 amendments that consolidated Japan's previously fragmented data-protection framework, over public-sector processing by administrative organs and local governments. The PPC may issue guidance, recommendations, and orders to businesses that violate the purpose-specification or use-limitation obligations. The APPI has no administrative-fine regime comparable to GDPR's; instead, failure to comply with a PPC order is a criminal offence punishable by imprisonment or a fine, with the maximum corporate fine raised to JPY 100 million by the 2020 amendments.
Contrast with GDPR's lawful-bases model
A cross-border compliance professional should note the structural difference: GDPR Article 6(1) requires the controller to identify a lawful basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests) before processing begins, and that basis conditions the entire processing operation. The APPI instead requires the business to specify the purpose at the outset and then limits processing to that purpose unless consent (or a statutory exception) applies. In practical terms, purpose specification under Article 17 often functions similarly to GDPR's "lawful basis," but the statutory text does not label it as such. For multinational data flows, organizations often map APPI purpose-specification compliance to GDPR's Article 6(1)(a) (consent) or 6(1)(b) (performance of contract) depending on the context of collection.
Two later rounds of amendment overlay this baseline. The 2015 amendments (effective 2017) created the category of sensitive personal information (要配慮個人情報, yō hairyo kojin jōhō, Article 2(3) APPI, covering race, creed, social status, medical history, criminal record, and crime victimization) together with its advance-consent rule for acquisition (Article 20(2)), and introduced the separate regime for providing personal data to third parties in foreign countries (now Article 28). The 2020 amendments (effective April 2022) strengthened the information a business must give the data subject before relying on consent for such a cross-border transfer (Article 28(2)) and narrowed the opt-out route for third-party provision (Article 27(2)). These are addressed in separate guide sections.
Source: Act on the Protection of Personal Information, Act No. 57 of 2003 (as amended through Act No. 37 of 2021), Articles 17–18
Source: Personal Information Protection Commission, APPI English translation (June 2020)
Consent requirements and validity — no statutory definition, but PPC and sector-specific guidance set the standard
The Act on the Protection of Personal Information (APPI, Act No. 57 of 2003, as amended) invokes consent as a central mechanism for lawful processing throughout the statute: Article 18(1) requires "the identifiable person's consent" when a business wishes to process personal information beyond the specified purpose of use; Article 20(2) mandates "the identifiable person's consent in advance" before acquiring sensitive personal information (要配慮個人情報, yō hairyo kojin jōhō); Article 27(1) establishes the baseline rule requiring prior consent before providing personal data to a third party; and Article 28(1) requires a specific consent before providing personal data to a third party in a foreign country. Yet the APPI does not define "consent" in statutory text, leaving the standards for valid consent to regulatory guidance issued by the Personal Information Protection Commission (PPC) and sector-specific guidelines.
Absence of a statutory consent definition
Unlike the EU General Data Protection Regulation (GDPR), which defines consent in Article 4(11) as "any freely given, specific, informed and unambiguous indication of the data subject's wishes," the APPI contains no parallel statutory provision. The term 同意 (dōi, "consent") appears in multiple operative articles but is treated as a concept understood within the broader Japanese legal framework governing contractual and administrative acts. The PPC's General Rules Guidelines (通則ガイドライン, tsūsoku gaidorain) describe "the principal's consent" as an expression of the principal's intention approving the handling of their personal information in the manner proposed, and, together with sector-specific guidance (particularly the Guidelines for the Protection of Personal Information in the Financial Sector, issued by the Financial Services Agency in coordination with the PPC), fill this gap by articulating the requirements for valid consent.
PPC General Rules Guidelines: voluntary, specific, and informed
The PPC's General Rules Guidelines establish that valid consent under the APPI must be voluntary (data subjects must not be coerced or misled), specific (the data subject must understand what processing activity they are consenting to), and informed (the business must provide sufficient information about the purpose of use, the data to be processed, and, where applicable, the identity of third-party recipients). While the PPC has not published a single comprehensive definition mirroring GDPR Article 4(11), the guidelines interpret the statutory obligations in Articles 18, 20, and 28 as requiring that consent be obtained through a process that allows the data subject to make a meaningful choice based on clear information.
Consent obtained through misleading statements, bundled as a condition of an unrelated contract without clear disaggregation, or secured through pre-checked boxes is generally not recognized as valid under PPC enforcement practice. The PPC has emphasized that businesses must present consent requests in a manner that allows the data subject to understand what they are agreeing to—vague or overly broad consent requests (e.g., "I consent to the use of my data for all purposes") fail the specificity requirement.
Form of consent: written form preferred in the financial sector; no blanket requirement elsewhere
The APPI does not mandate a specific form for consent across all sectors. Unlike some data-protection regimes that prescribe written consent or electronic signatures, the baseline APPI framework permits consent to be obtained orally, in writing, or through affirmative electronic actions (such as clicking a button labeled "I agree"), provided the method employed allows the business to demonstrate that consent was actually obtained.
However, sector-specific guidelines impose stricter form requirements. The Guidelines for the Protection of Personal Information in the Financial Sector specify that businesses handling personal information in the financial sector "shall, in principle, obtain consent in writing (including electronic or magnetic records)" when seeking consent under Articles 18, 27, and 28 of the APPI. The financial-sector guidelines further recommend that when businesses use pre-prepared consent forms, terms concerning the handling of personal information should be displayed in a manner "clearly distinguishable from other terms by such means as using larger fonts or different expressions," and that businesses should employ mechanisms such as check boxes to ensure the data subject's intent is clearly expressed.
Outside the financial sector, businesses often obtain consent through website click-through mechanisms, mobile-application permission prompts, or paper forms. The critical question is demonstrability: the business must be able to produce evidence that the data subject consented to the specific processing activity. Best practice includes maintaining records of when and how consent was obtained, the information provided to the data subject at the time, and the specific wording presented.
Consent for sensitive personal information: Article 20(2) APPI
Article 20(2) APPI establishes an advance consent requirement for the acquisition of sensitive personal information, defined in Article 2(3) as personal information that includes descriptions relating to race, creed, social status, medical history, criminal record, the fact of having been a victim of crime, or other matters specified by Cabinet Order as requiring special care so that the principal does not suffer unjust discrimination, prejudice, or other disadvantage. "Creed" (信条) covers religious belief and political opinion; "social status" (社会的身分) refers to a status a person is born into and cannot readily escape, not occupation or nationality. The Cabinet Order extends the list to:
- Physical, intellectual, or mental disability;
- Results of medical examinations or other health tests (including genetic tests) and the fact that medical treatment, prescribing, or health guidance was provided on the basis of such results;
- The fact that criminal procedures (arrest, search, prosecution, and so on) have been taken against the person as a suspect or defendant, or that juvenile protection proceedings have been taken against the person.
The resulting scope overlaps with, but is narrower than, GDPR Article 9 "special categories": the PPC's General Rules Guidelines treat mere nationality or the fact of being a foreign national as a legal status rather than race, and matters such as trade-union membership, sexual orientation, and registered domicile fall outside the statutory list, although they are widely treated as deserving careful handling.
Businesses must obtain the data subject's prior consent before acquiring such information, except in the narrow statutory cases enumerated in Article 20(2): cases based on laws and regulations; cases necessary to protect life, body, or property when obtaining consent is difficult; cases particularly necessary for public health or the sound development of children when obtaining consent is difficult; cases of cooperation with a government organ or local authority when obtaining consent would impede the performance of statutory duties; cases where the business is an academic research institution acquiring the information for academic research purposes, or acquires it from such an institution for joint research, provided the handling does not risk unjustifiably infringing the data subject's rights and interests (added by the 2021 amendments); cases where the sensitive information has already been made public by the data subject, a government organ, or another body designated by PPC rules; and other cases prescribed by Cabinet Order as equivalent to these.
The PPC's guidelines treat the consent requirement under Article 20(2) as independent and cumulative: if a business wishes to acquire sensitive personal information and then use it for a purpose beyond what was initially specified, the business must obtain (a) prior consent under Article 20(2) for the acquisition and (b) separate consent under Article 18(1) for the expanded use. The two consent obligations do not merge; the business must satisfy both, and a single consent form may cover both only if it makes each element explicit.
Consent for cross-border transfers: Article 28 APPI enhanced disclosure obligation
Article 28(1) APPI prohibits businesses from providing personal data to a third party in a foreign country without obtaining "the identifiable person's consent to the effect that he or she approves the provision to a third party in a foreign country" unless one of three conditions is met: (i) the foreign country is designated under PPC rules as having a personal-information protection system equivalent to Japan's (currently the member states of the European Union and the United Kingdom); (ii) the foreign recipient has established a system conforming to PPC-prescribed standards (such as APEC Cross-Border Privacy Rules certification or contractual arrangements mirroring the APPI's substantive requirements); or (iii) one of the exceptions to the general third-party-provision rule in Article 27(1) applies (laws and regulations, protection of life, body, or property, public health or child development, cooperation with government organs, and the academic-research items added in 2021).
When a business relies on consent under Article 28(1), Article 28(2) imposes an enhanced disclosure obligation: before obtaining consent, the business must provide the data subject with "information on the personal information protection system of the foreign country, on the measures the third party takes for the protection of personal information, and other information that is to serve as a reference to the principal, pursuant to rules of the Personal Information Protection Commission." The PPC's Enforcement Rules (Rule 11-2 as introduced with the 2020 amendments, renumbered as Article 17 in the consolidated 2022 rules) elaborate that this obligation includes disclosing:
- The name of the foreign country (or countries) to which the data will be transferred;
- A description of the legal framework governing personal-data protection in that country and the practical operation of that framework (e.g., whether the foreign country has an independent supervisory authority, whether data subjects have enforceable rights, whether the legal framework permits government access to personal data);
- The specific measures the foreign recipient has implemented to protect the personal data (contractual commitments, security controls, internal policies).
This enhanced-disclosure requirement functions as a heightened standard for consent validity in the cross-border context. A generic consent statement ("I consent to the transfer of my data abroad") that does not include the Article 28(2) disclosures is not valid under PPC enforcement posture. The business must demonstrate that it provided the required information and that the data subject consented with knowledge of the foreign destination and the protections in place.
Withdrawal of consent and the APPI's silence on revocation
The APPI does not contain a statutory provision expressly guaranteeing the data subject's right to withdraw consent at any time, in contrast to GDPR Article 7(3), which states "it shall be as easy to withdraw as to give consent." However, Article 35 APPI gives the data subject a right to request cessation of use or deletion of retained personal data where the business is handling it in violation of Article 18 or 19 or acquired it in violation of Article 20 (Article 35(1)) and, since the 2020 amendments, also where the data is no longer needed, has been leaked, or where its handling may otherwise harm the data subject's rights or legitimate interests (Article 35(5)). The PPC's General Rules Guidelines recognize that a data subject who has indicated they no longer consent can invoke these grounds against processing that continues on the strength of the withdrawn consent. The practical effect is that while the APPI does not label consent withdrawal as a standalone right, data subjects can use Article 35 to compel the business to stop processing when the original consent no longer stands.
Businesses that obtain consent should therefore implement processes allowing data subjects to withdraw consent and should treat withdrawal as triggering an Article 35 compliance obligation to cease the processing unless an alternative statutory justification (legal obligation, vital interests, public interest, or cooperation with a government authority) applies.
Comparison to GDPR: structural and doctrinal differences
A privacy professional familiar with GDPR will note three key divergences in the APPI consent framework:
- No standalone consent definition. GDPR Article 4(11) provides a comprehensive statutory definition; the APPI relies on PPC guidelines and enforcement practice.
- Form flexibility outside regulated sectors. GDPR does not mandate written consent but requires controllers to demonstrate valid consent; the APPI likewise permits oral or electronic consent, except in sectors such as finance where written consent (including electronic records) is prescribed in principle by sectoral guidelines.
- Enhanced disclosure for cross-border transfers as a consent-validity condition. GDPR Article 49(1)(a) requires that a data subject consenting to a transfer without adequacy or appropriate safeguards be informed of the possible risks, but it does not prescribe the content of that information; APPI Article 28(2) and the PPC rules spell out what must be disclosed (the destination country, its legal framework, and the recipient's protective measures) as a separate, cumulative condition of a valid cross-border consent.
For multinational organizations mapping APPI compliance to GDPR frameworks, the safest approach is to treat APPI consent as requiring free, specific, informed, and unambiguous indication, apply the stricter financial-sector form requirements as best practice across all sectors, and ensure that cross-border-transfer consents include the Article 28(2) disclosures.
Source: Act on the Protection of Personal Information, Act No. 57 of 2003 (as amended), Articles 18, 20, 27, 28, and 35
Source: Personal Information Protection Commission, APPI English translation (June 2020)
Source: Guidelines for the Protection of Personal Information in the Financial Sector
Statutory exceptions to consent for third-party disclosures — Article 27(1) APPI four-exception framework
The Act on the Protection of Personal Information (APPI) establishes a general prohibition on third-party disclosures of personal data without the data subject's prior consent under Article 27(1), but carves out narrow statutory exceptions that permit businesses to disclose personal data to third parties without consent when competing public-interest considerations outweigh the individual's autonomy interest. This section covers the four general exceptions in items (i) to (iv); the 2021 amendments added items (v) to (vii) for provision by, to, or between academic research institutions for academic research purposes, which are not analyzed here. These exceptions mirror the Article 18(3) framework governing processing beyond the specified purpose (covered in the purpose-specification guide section), but apply specifically to the distinct obligation not to provide personal data to a third party (第三者提供, daisan-sha teikyō) under Article 27.
Article 27(1): The baseline consent requirement
Article 27(1) APPI provides: "Businesses handling personal information must not provide personal data to a third party without obtaining the identifiable person's consent in advance, except cases set forth below."
The term "personal data" (個人データ, kojin dēta) is defined in Article 16(3) APPI as personal information that constitutes a personal-information database or equivalent, meaning information that has been systematically organized for retrieval by computer or manual search. The Article 27 consent requirement applies only to personal data—not to personal information generally—to avoid unduly constraining everyday oral communications or one-off transfers of information that have not been incorporated into a structured database.
The baseline rule is strict: absent consent or a statutory exception, providing personal data to a third party is prohibited, and the Personal Information Protection Commission (PPC) may issue guidance, recommendations, or orders to businesses that violate this obligation. Failure to comply with a PPC order is a criminal offence, punishable by imprisonment or a fine (up to JPY 100 million for a corporation since the 2020 amendments); the APPI has no administrative-fine regime comparable to GDPR's.
Exception (i): Cases based on laws and regulations (法令に基づく場合, hōrei ni motozuku baai)
Article 27(1) item (i) permits third-party disclosure "when based on laws and regulations." This exception is narrow and formal: the business must identify a specific statutory provision (Act of the Diet, Cabinet Order, or ministerial ordinance) that requires or expressly authorizes the disclosure. The PPC's General Rules Guidelines clarify that "laws and regulations" means Japanese laws and regulations—a foreign legal requirement (e.g., a U.S. e-discovery order or an EU supervisory-authority information request under GDPR Article 58) does not qualify under this exception unless separately authorized by a Japanese statute or treaty implementing obligation.
Common invocations of the legal-obligation exception include:
- Responses to tax inquiries and reporting obligations under the Act on General Rules for National Taxes (国税通則法) and the individual tax acts (disclosure of customer transaction records to the National Tax Agency);
- Financial-crime reporting under the Act on Prevention of Transfer of Criminal Proceeds (disclosure of suspicious-transaction reports to the Japan Financial Intelligence Center);
- Court-ordered production in Japanese litigation proceedings under the Code of Civil Procedure;
- Statutory reporting of workplace injuries to the Ministry of Health, Labour and Welfare under the Industrial Safety and Health Act.
The business bears the burden of demonstrating that the disclosure is "based on" the cited legal provision. The PPC has emphasized that this exception does not cover disclosures that are merely permitted by contract or internal policy; the legal authority must be a binding statutory obligation or an express statutory authorization (e.g., a provision stating "the Minister may require businesses to submit reports").
Exception (ii): Protection of life, body, or property when obtaining consent is difficult (人の生命、身体又は財産の保護のために必要がある場合であって、本人の同意を得ることが困難であるとき, hito no seimei, shintai mata wa zaisan no hogo no tame ni hitsuyō ga aru baai de atte, honnin no dōi o eru koto ga konnan de aru toki)
Article 27(1) item (ii) permits third-party disclosure "when there is a need to protect the life, body, or property of an individual, and it is difficult to obtain the consent of the identifiable person."
This exception incorporates a two-prong test:
- Necessity for protection. The disclosure must be objectively necessary to protect life, bodily safety, or property from imminent or serious harm. The PPC's General Rules Guidelines state that "life, body, or property" includes both the data subject's own interests and those of third parties, and that "an individual" (人, hito) encompasses both natural persons and legal persons (corporations or other entities). The harm threshold is contextual but must be material: routine commercial interests (e.g., "we need to share customer data with our fraud-prevention vendor to protect our business property") typically do not satisfy the test unless the threat is concrete and significant.
- Difficulty of obtaining consent. The business must demonstrate that obtaining the data subject's prior consent is impracticable given the circumstances. The PPC has clarified that "difficult" does not mean merely inconvenient or costly; the standard is met when (a) the data subject is unconscious, missing, or otherwise unreachable; (b) the urgency of the situation precludes the delay required to seek consent (e.g., emergency medical disclosure to first responders); or (c) seeking consent would itself create a risk to the protected interest (e.g., disclosing a domestic-violence victim's location to a shelter operator when contacting the victim would alert the abuser).
Common fact patterns under the vital-interests exception include:
- Disclosure of a patient's medical history to emergency-room physicians when the patient is unconscious and no family member is available to consent;
- Sharing customer account information with law enforcement to prevent imminent financial fraud or physical harm (e.g., a credible threat to commit violence);
- Providing employee personal data to disaster-relief authorities in the immediate aftermath of an earthquake or tsunami when employees cannot be contacted.
The PPC has emphasized that businesses invoking this exception must document the factual basis for the necessity finding and the difficulty-of-consent determination, and should seek consent retroactively once the emergency has passed and the data subject is reachable.
Exception (iii): Public health or sound development of children when obtaining consent is difficult (公衆衛生の向上又は児童の健全な育成の推進のために特に必要がある場合であって、本人の同意を得ることが困難であるとき, kōshū eisei no kōjō mata wa jidō no kenzen na ikusei no suishin no tame ni toku ni hitsuyō ga aru baai de atte, honnin no dōi o eru koto ga konnan de aru toki)
Article 27(1) item (iii) permits third-party disclosure "when there is a particular need for improving public health or promoting the sound development of children, and it is difficult to obtain the consent of the identifiable person."
This exception likewise employs a two-prong test:
- Particular necessity for public health or child welfare. The disclosure must serve a recognized public-interest objective in the fields of epidemiology, communicable-disease control, child protection, or child-development policy. The PPC's General Rules Guidelines cite as examples:
  - Reporting confirmed or suspected cases of infectious disease to public-health authorities under the Infectious Diseases Control Act (Act No. 114 of 1998);
  - Disclosing medical examination or vaccination records to prefectural health departments for epidemiological surveillance;
  - Providing personal data on children at risk of abuse or neglect to child-welfare centers (児童相談所, jidō sōdanjo) or to the Ministry of Health, Labour and Welfare under the Child Welfare Act (Act No. 164 of 1947);
  - Sharing school attendance and health records with municipal authorities to facilitate early-intervention programs for children with developmental challenges.
The "particular need" standard is stricter than mere utility: the disclosure must be objectively necessary to achieve the stated public-health or child-welfare goal, and the business must be able to articulate why the disclosure serves that goal more effectively than alternative measures.
- Difficulty of obtaining consent. As with exception (ii), the business must show that obtaining prior consent is impracticable. In the public-health context, this prong is often satisfied when the data subject is a minor unable to provide legally effective consent (and the parent or guardian is unavailable or is the source of the risk, as in suspected child-abuse cases), or when a communicable-disease outbreak requires immediate reporting and individualized consent-seeking would delay critical public-health interventions.
The PPC has made clear that this exception does not permit businesses to share personal data with private-sector health insurers, pharmaceutical companies, or other commercial recipients solely because the recipient asserts an interest in public health or child development. The recipient must be performing a public-health or child-welfare function in the particular case (a public authority, a child guidance center, or a school, hospital, or similar body cooperating with one), and the disclosure must be necessary to that function. Provision for academic research is handled separately by the academic-research items added to Article 27(1) in 2021, which carry their own rights-and-interests proviso.
Exception (iv): Cooperation with government organs or local authorities when consent would impede statutory duties (国の機関若しくは地方公共団体又はその委託を受けた者が法令の定める事務を遂行することに対して協力する必要がある場合であって、本人の同意を得ることにより当該事務の遂行に支障を及ぼすおそれがあるとき, kuni no kikan moshiku wa chihō kōkyō dantai mata wa sono itaku o uketa mono ga hōrei no sadameru jimu o suikō suru koto ni taishite kyōryoku suru hitsuyō ga aru baai de atte, honnin no dōi o eru koto ni yori tōgai jimu no suikō ni shōgai o oyobosu osore ga aru toki)
Article 27(1) item (iv) permits third-party disclosure "when there is a need to cooperate with a state organ, local government, or person entrusted by either in executing affairs prescribed by laws and regulations, and obtaining the consent of the identifiable person would impede the execution of those affairs."
This exception recognizes that certain governmental functions—tax administration, criminal investigation, national-security intelligence, statistical surveys, regulatory inspections—would be undermined if the target of the inquiry could block disclosure by withholding consent. It incorporates a three-element test:
- The recipient is a government organ, local authority, or authorized delegate. "State organ" (国の機関, kuni no kikan) includes ministries, agencies, and independent administrative agencies of the national government. "Local government" (地方公共団体, chihō kōkyō dantai) includes prefectures, designated cities, municipalities, and special wards. "Person entrusted" (委託を受けた者, itaku o uketa mono) includes private contractors performing governmental functions under statutory delegation (e.g., a private firm operating a correctional facility under contract with the Ministry of Justice, or a census enumerator engaged by the Ministry of Internal Affairs and Communications under the Statistics Act).
- The disclosure is necessary to cooperate with a statutory duty. The governmental entity must be executing "affairs prescribed by laws and regulations" (法令の定める事務, hōrei no sadameru jimu)—a duty imposed by statute, Cabinet Order, or ministerial ordinance. Voluntary information-sharing with government agencies that lack statutory authority to compel the disclosure does not qualify. The business must identify the specific legal provision that establishes the governmental duty and explain how the disclosure furthers that duty.
- Obtaining consent would impede the execution of the duty. The PPC's General Rules Guidelines clarify that "impede" (支障を及ぼす, shōgai o oyobosu) means more than inconvenience: the consent requirement must pose a material risk that the governmental function would fail or be significantly delayed. Classic examples include:
  - Tax investigations under the Act on General Rules for National Taxes, where notifying the taxpayer that the business is disclosing transaction records to the National Tax Agency would allow the taxpayer to conceal assets or destroy evidence;
  - Criminal investigations under the Code of Criminal Procedure, where obtaining the suspect's consent before disclosing personal data to police would alert the suspect and permit flight or evidence tampering;
  - National-security intelligence activities, where seeking consent would reveal the fact of the investigation and compromise operational security;
  - Statistical surveys under the Statistics Act, where requiring individualized consent would introduce selection bias and undermine the representativeness of the survey sample.
The PPC has emphasized that businesses invoking this exception should document the governmental entity's request, the statutory basis for the entity's authority, and the factual basis for the impediment finding. When feasible, businesses should seek written confirmation from the requesting authority that obtaining consent would impede the execution of its statutory duties.
Interplay with the opt-out mechanism (Article 27(2)) and outsourcing, succession, and joint-use exceptions
Article 27(2)–(4) APPI establish an opt-out mechanism that permits third-party disclosures without prior affirmative consent if the business has publicly disclosed the categories of data to be disclosed, the means of disclosure, and the fact that the data subject may request cessation, and has notified the PPC. This opt-out mechanism is separate from the four statutory exceptions analyzed above and is subject to significant restrictions: under the Article 27(2) proviso it may not be used for sensitive personal information, for personal data acquired in breach of Article 20(1), or for personal data the business itself received from another business through opt-out (including copies or processed versions of it), and the financial-sector guidelines prohibit its use for personal data handled by financial institutions.
Articles 27(5) items (i)–(iii) carve out three structural exceptions that are not true "third-party" disclosures:
- Outsourcing (委託, itaku): providing personal data to a contractor for the purpose of achieving the originally specified purpose of use (e.g., engaging a cloud-storage provider or a payroll processor);
- Business succession (事業承継, jigyō shōkei): transferring personal data in connection with a merger, acquisition, or other succession to the business;
- Joint use (共同利用, kyōdō riyō): sharing personal data among multiple entities that have publicly disclosed the scope of shared data, the entities participating, and the responsible party.
These are treated as internal processing rather than third-party disclosures and do not require consent, but they impose separate disclosure, supervision, and notification obligations.
Contrast with GDPR Article 6(1) lawful bases
A practitioner familiar with GDPR will note that the APPI's Article 27 exception framework is narrower and more rigid than GDPR's six lawful bases. GDPR Article 6(1)(f) permits processing (including disclosure) "necessary for the purposes of the legitimate interests pursued by the controller or by a third party" subject to a balancing test against the data subject's rights—a flexible standard that has no direct APPI analogue. The APPI does not provide a general legitimate-interests basis; businesses must fit within one of the four enumerated exceptions (legal obligation, vital interests, public health/child welfare, cooperation with government) or obtain consent. The APPI's vital-interests exception (Article 27(1) item (ii)) is likewise narrower than GDPR Article 6(1)(d): it requires both necessity and difficulty of obtaining consent, whereas GDPR's vital-interests basis requires only that "processing is necessary in order to protect the vital interests of the data subject or of another natural person."
For multinational compliance programs, the safest approach is to treat the APPI exceptions as strictly construed, document the factual and legal basis for each invocation, and obtain consent whenever the applicability of an exception is uncertain.
Source: Act on the Protection of Personal Information, Act No. 57 of 2003 (as amended through Act No. 37 of 2021), Article 27
Source: Personal Information Protection Commission, APPI English translation (June 2020)
Sensitive personal information (要配慮個人情報) — Article 20 prior-consent requirement and enumerated categories
The Act on the Protection of Personal Information (APPI) distinguishes sensitive personal information (要配慮個人情報, yō hairyo kojin jōhō) as a category of personal information requiring heightened procedural protections. Article 2(3) APPI establishes the statutory definition, Cabinet Order Article 2 enumerates the protected categories, and Article 20(2) APPI imposes a mandatory prior-consent requirement for the acquisition of sensitive personal information by businesses handling personal information (個人情報取扱事業者, kojin jōhō toriatsukai jigyōsha), subject to a closed list of narrow statutory exceptions.
This framework is Japan's analogue to the GDPR Article 9 "special categories of personal data" regime, but with a critical structural difference: the APPI consent requirement applies only to acquisition, not to subsequent use or third-party disclosure, which remain governed by the baseline Articles 18 (use limitation) and 27 (third-party provision).
Article 2(3) APPI: Statutory definition
Article 2(3) APPI defines sensitive personal information as "personal information that includes a description, etc. relating to the race, creed, social status, medical history, criminal record, fact of damage by a crime, or other description, etc. prescribed by Cabinet Order as requiring special care in handling so as to avoid unjust discrimination, prejudice or other disadvantage to an individual."
The statute identifies six express categories (race, creed, social status, medical history, criminal record, victimization by crime) and delegates to the Cabinet the authority to enumerate additional categories. The legislative rationale is to prevent unjust discrimination based on attributes that do not bear a legitimate relationship to employment, insurance underwriting, credit, housing, or public-service decisions.
Cabinet Order Article 2: Enumerated categories
Cabinet Order to Enforce the APPI, Article 2, provides that "descriptions etc. prescribed by cabinet order under Article 2, paragraph (3) of the Act shall be those descriptions etc. which contain any of those matters set forth in the following (excluding those falling under a principal's medical record or criminal history)." The Cabinet Order enumerates additional protected categories:
- Physical, intellectual, or mental disability — "a physical disability, intellectual disability, mental disability (including developmental disability), or other impairment of mind or body function prescribed by rules of the Personal Information Protection Commission" (Cabinet Order Article 2, item (i))
- Medical and health information — the results of a health check-up or other examination for the prevention or early detection of disease carried out on the person by a physician or other person engaged in a medical occupation (Cabinet Order Article 2, item (ii)), and the fact that, on the basis of such results or by reason of illness, injury, or other change in physical or mental condition, the person received guidance, medical care, or dispensing of medicine to improve that condition (Cabinet Order Article 2, item (iii)); in both cases excluding information that already falls under "medical history" enumerated in Article 2(3)
- Criminal procedures — the fact that the person, as a suspect or defendant, has been arrested, searched, subject to seizure, detained, indicted, or subject to other criminal-case procedures (Cabinet Order Article 2, item (iv))
- Juvenile-protection procedures — the fact that a juvenile has been subject to investigation, observation and protection measures, hearings, protective measures, or other procedures under the Juvenile Act (Cabinet Order Article 2, item (v))
The Cabinet Order explicitly excludes from the definition descriptions that fall under the principal's medical record or criminal history as defined in Article 2(3), to avoid double-counting those statutory categories.
Article 20(2) APPI: Prior-consent requirement for acquisition
Article 20(2) APPI provides: "A business handling personal information must not acquire sensitive personal information without obtaining the identifiable person's prior consent, except in the cases set forth below."
This is a prohibition with enumerated exceptions. The consent requirement attaches at the point of acquisition — the moment the business first obtains the sensitive personal information. The statute does not require a separate consent for use or third-party disclosure of sensitive personal information already lawfully acquired; those processing activities remain subject to the baseline Article 18 use-limitation (consent required for use beyond the specified purpose) and Article 27 third-party-disclosure frameworks (consent required unless an exception applies), but do not trigger an additional consent obligation solely because the information is sensitive.
Article 20(2) items (i)–(viii): Statutory exceptions to the prior-consent requirement
Article 20(2), as amended by Act No. 37 of 2021 (in force April 2022), enumerates eight items permitting acquisition of sensitive personal information without prior consent; the 2020 English translation of the pre-amendment law (then Article 17(2)) shows six. The six discussed below, items (i)–(v) and the made-public case (item (vii) in the current numbering), are the ones most businesses will encounter. Two items are not analyzed here: item (vi), acquisition from an academic research institution, etc. for joint academic research, and item (viii), other cases prescribed by Cabinet Order as equivalent to the foregoing.
(i) Cases based on laws and regulations (法令に基づく場合, hōrei ni motozuku baai)
Acquisition is permitted when "based on laws and regulations." The business must identify a specific statute, Cabinet Order, or ministerial ordinance that requires or expressly authorizes the acquisition. This exception mirrors the Article 18(3) item (i) (use beyond purpose) and Article 27(1) item (i) (third-party disclosure) legal-obligation exceptions. The APPI does not define which foreign legal requirements, if any, qualify under this exception.
(ii) Protection of life, body, or property when obtaining consent is difficult (人の生命、身体又は財産の保護のために必要がある場合であって、本人の同意を得ることが困難であるとき, hito no seimei, shintai mata wa zaisan no hogo no tame ni hitsuyō ga aru baai de atte, honnin no dōi o eru koto ga konnan de aru toki)
Acquisition is permitted when (a) there is a need to protect the life, body, or property of an individual, and (b) it is difficult to obtain the consent of the identifiable person. This two-prong test tracks the Article 18(3) item (ii) and Article 27(1) item (ii) vital-interests exceptions. The statute does not further define "difficult to obtain consent," leaving the standard to regulatory guidance and enforcement practice.
(iii) Public health or sound development of children when obtaining consent is difficult (公衆衛生の向上又は児童の健全な育成の推進のために特に必要がある場合であって、本人の同意を得ることが困難であるとき, kōshū eisei no kōjō mata wa jidō no kenzen na ikusei no suishin no tame ni toku ni hitsuyō ga aru baai de atte, honnin no dōi o eru koto ga konnan de aru toki)
Acquisition is permitted when (a) there is a particular need for improving public health or promoting the sound development of children, and (b) it is difficult to obtain the consent of the identifiable person. The statute does not enumerate the types of processing or entities that qualify, but the "particular need" language imposes a higher threshold than item (ii)'s "need" standard.
(iv) Cooperation with government organs or local authorities when obtaining consent would impede statutory duties (国の機関若しくは地方公共団体又はその委託を受けた者が法令の定める事務を遂行することに対して協力する必要がある場合であって、本人の同意を得ることにより当該事務の遂行に支障を及ぼすおそれがあるとき, kuni no kikan moshiku wa chihō kōkyō dantai mata wa sono itaku o uketa mono ga hōrei no sadameru jimu o suikō suru koto ni taishite kyōryoku suru hitsuyō ga aru baai de atte, honnin no dōi o eru koto ni yori tōgai jimu no suikō ni shōgai o oyobosu osore ga aru toki)
Acquisition is permitted when (a) there is a need to cooperate with a state organ, local government, or person entrusted by either in executing affairs prescribed by laws and regulations, and (b) obtaining the consent of the identifiable person would risk impeding the execution of those affairs. This two-prong test mirrors Article 27(1) item (iv) (third-party disclosure to government). The statute requires that the impediment be an "obstruction" (支障, shōgai) to execution, not mere inconvenience.
(v) Academic research institutions handling sensitive personal information for academic research purposes (当該個人情報取扱事業者が学術研究機関等である場合であって、当該要配慮個人情報を学術研究目的で取り扱う必要があるとき, tōgai kojin jōhō toriatsukai jigyōsha ga gakujutsu kenkyū kikan-tō de aru baai de atte, tōgai yō hairyo kojin jōhō o gakujutsu kenkyū mokuteki de toriatsukau hitsuyō ga aru toki)
Acquisition is permitted when the business is an "academic research institution, etc." (学術研究機関等, gakujutsu kenkyū kikan-tō) and needs to handle the sensitive personal information for academic research purposes (including where academic research is only part of the purpose). Article 16(8) APPI defines the term as universities and other institutions or organizations whose purpose is academic research, and persons belonging to them. This item was added by the 2021 amendment (Act No. 37 of 2021), which also introduced the parallel academic-research items in Articles 18(3) and 27(1). Its proviso excludes cases where there is a risk of unjustly infringing the rights and interests of individuals; the statute does not spell out what safeguards satisfy that condition.
(vii) (item (vi) in the pre-2022 numbering) Sensitive personal information made public by the data subject, government, or designated entities (本人、国の機関、地方公共団体、学術研究機関等、第五十七条第一項各号に掲げる者その他個人情報保護委員会規則で定める者により公開されている場合, honnin, kuni no kikan, chihō kōkyō dantai, gakujutsu kenkyū kikan-tō, dai-gojūnana-jō dai-ikkō kakugō ni kakageru mono sono ta kojin jōhō hogo iinkai kisoku de sadameru mono ni yori kōkai sarete iru baai)
Acquisition is permitted when the sensitive personal information has been made public by (a) the data subject, (b) a state organ, (c) a local government, (d) an academic research institution, etc., (e) a person listed in Article 57(1) (broadcasters, newspapers, wire services and other press organizations, professional writers, religious bodies, and political bodies), or (f) other persons prescribed by Personal Information Protection Commission Rules. The statute does not define "made public" (公開, kōkai); whether posting on a password-protected website, disclosure in a limited-access setting, or publication in a professional journal qualifies is not addressed in the statutory text.
Cumulative consent obligations: Article 20(2) acquisition + Article 18(1) use
A critical compliance point: the Article 20(2) prior-consent requirement for acquisition of sensitive personal information is independent and cumulative with the Article 18(1) consent requirement for use beyond the specified purpose. If a business wishes to (a) acquire sensitive personal information and (b) use it for a purpose not specified at the point of acquisition, the business must obtain both consents. The APPI does not provide a mechanism to merge the two consent obligations, though best practice is to disclose both the acquisition and the intended use at the point of acquisition and obtain a single consent statement that clearly covers both statutory requirements.
Contrast with GDPR Article 9
A cross-border compliance professional should note two key structural differences between the APPI sensitive-personal-information regime and GDPR Article 9:
- Consent applies only to acquisition, not to all processing. GDPR Article 9(2)(a) permits processing of special-category data based on explicit consent, and that consent conditions all processing (collection, use, disclosure, storage). The APPI Article 20(2) consent requirement applies only to acquisition; subsequent use and third-party disclosure are governed by the baseline Articles 18 and 27, which permit processing within the originally specified purpose without separate consent.
- No general legitimate-interests or substantial-public-interest exception. GDPR Article 9(2) enumerates ten lawful-processing conditions, including substantial-public-interest processing under Article 9(2)(g). The APPI Article 20(2) exceptions are enumerated and exhaustive; there is no general balancing test analogous to GDPR Article 6(1)(f) legitimate interests or Article 9(2)(g) substantial public interest.
For multinational organizations mapping APPI compliance to GDPR frameworks, the safest approach is to treat APPI Article 20(2) sensitive personal information as requiring prior consent at acquisition, apply the enumerated statutory exceptions narrowly, and obtain separate Article 18(1) consent for any use beyond the initially specified purpose.
Source: Act on the Protection of Personal Information, Act No. 57 of 2003 (as amended through Act No. 37 of 2021), Articles 2(3) and 20
Source: Cabinet Order to Enforce the Act on the Protection of Personal Information, Article 2
Source: Personal Information Protection Commission, APPI English translation (June 2020)
Contract performance and the APPI — no standalone lawful basis; processing maps to purpose specification under Article 17
A privacy professional familiar with the EU General Data Protection Regulation (GDPR) will expect to find a contract-necessity lawful basis analogous to GDPR Article 6(1)(b), which permits processing when "necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract." The Act on the Protection of Personal Information (APPI, Act No. 57 of 2003, as amended) does not provide such a standalone lawful basis. The APPI does not employ the enumerated-lawful-bases framework at all; instead, it requires businesses to specify the purpose of use under Article 17 and then permits processing within the scope necessary for achieving that purpose under Article 18, with consent required only when processing exceeds that scope.
For cross-border compliance professionals mapping GDPR Article 6(1)(b) "contract necessity" onto the APPI, the practical answer is that processing necessary to perform a contract with the data subject is lawful under the APPI when the business specifies that contractual purpose at the point of acquisition (Article 17) and processes the personal information within the scope necessary to achieve that contractual purpose (Article 18(1)). The APPI does not require the business to obtain separate consent for processing that stays within the originally specified contractual purpose; consent under Article 18(1) is required only when the business wishes to process the personal information for a new or expanded purpose that cannot be appreciably linked to the original contractual purpose under Article 17(2).
Article 17(1): Purpose specification as the foundational obligation
Article 17(1) APPI provides: "In handling personal information, the business handling personal information must specify as much as possible the purpose for which it uses that information (hereinafter referred to as the 'purpose of use')." This obligation applies at the outset of processing—typically at the point of acquisition—and demands specificity. Vague statements of purpose ("we will use your personal information for business purposes") do not satisfy the statute. The Personal Information Protection Commission (PPC) has clarified in its General Rules Guidelines that the purpose must be sufficiently concrete to allow the data subject to reasonably foresee how the information will be handled.
When a business enters into a contract with a data subject—an employment agreement, a customer sales contract, a service-delivery contract, a vendor or supplier agreement—the contract itself, or the context surrounding the contract formation, typically satisfies the Article 17(1) purpose-specification requirement. The business specifies that it is collecting and using the data subject's personal information for the purpose of performing the contract: to process payroll and administer benefits (employment contract), to fulfill product orders and provide customer support (sales contract), to deliver professional services (consulting or advisory contract), to manage vendor payments and compliance (procurement contract).
The PPC does not require the business to state the purpose in terms of "contract performance" or "contract necessity" using those specific labels. The statute requires that the business specify the purpose concretely—and a statement tied to the contract's subject matter is concrete. For example:
- Employment context: "We collect and use your personal information (name, address, date of birth, bank-account details, family composition, résumé, employment history) for the purposes of managing your employment relationship, including processing payroll, administering statutory and voluntary benefits, complying with labor and tax reporting obligations, and facilitating internal human-resources administration."
- Customer context: "We collect and use your personal information (name, shipping address, email address, telephone number, payment information, purchase history) for the purposes of fulfilling your product orders, processing payments, providing customer support, and managing returns and warranty claims."
- Vendor/supplier context: "We collect and use your personal information (company name, contact person name and email, tax identification number, bank-account details, contract performance records) for the purposes of managing our contractual relationship, including processing purchase orders, making payments, ensuring contract compliance, and conducting vendor evaluations."
Each of these purpose statements is specific (it describes the processing activities concretely), foreseeable (the data subject can anticipate the processing), and contractually grounded (the processing serves the performance of the contract). Under the APPI, once the business has specified this purpose and notified the data subject of it or publicly disclosed it in accordance with Article 21 (notification or public disclosure of the purpose of use at acquisition), the business may process the personal information within the scope necessary to achieve that purpose without obtaining separate consent.
Article 18(1): Use limitation—consent required only for processing beyond the specified purpose
Article 18(1) APPI establishes the core use-limitation rule: "A business handling personal information must not handle personal information beyond the scope necessary for achieving the purpose of use specified pursuant to the provisions of the preceding Article without obtaining the identifiable person's consent to do so in advance."
The statute operates as a default prohibition with a consent override: if the processing falls within the scope necessary to achieve the originally specified purpose, no separate consent is required; if the business wishes to process the personal information for a new or expanded purpose, prior consent of the data subject is mandatory unless an exception under Article 18(3) applies (legal obligation, vital interests, public health or child welfare, cooperation with government authorities, and the academic-research items).
The critical phrase is "within the scope necessary for achieving the purpose of use" (利用目的の達成に必要な範囲, riyō mokuteki no tassei ni hitsuyō na han'i). The PPC's General Rules Guidelines interpret "necessary" (必要, hitsuyō) not as "strictly indispensable" but as reasonably required to achieve the stated purpose. This is a functional necessity test: the processing must serve the purpose the business specified and must not be excessive in relation to that purpose, but the business retains operational discretion in how it achieves the contractual objective.
For example, if a business specified the purpose as "fulfilling your product orders, processing payments, and providing customer support," the following processing activities fall within the necessary scope and do not require separate consent:
- Storing the customer's shipping address in an order-management system to generate shipping labels and track delivery;
- Sharing the customer's payment information with a payment processor (a third-party service provider engaged under a contract to process credit-card transactions on the business's behalf);
- Retaining the customer's purchase history to respond to warranty claims or product-recall notifications;
- Using the customer's email address to send order-confirmation messages and delivery-status updates.
By contrast, the following processing activities fall beyond the necessary scope of the originally specified purpose and require consent under Article 18(1) (or must be covered by a separate purpose specification at the point of acquisition):
- Using the customer's purchase history to generate personalized marketing recommendations for unrelated products (this is a new purpose: direct marketing, not order fulfillment);
- Sharing the customer's contact information with an affiliate company for cross-selling (this is a third-party disclosure beyond what is necessary for the original contractual purpose and also triggers the Article 27(1) third-party-consent requirement);
- Retaining the customer's personal information indefinitely after the contract has terminated and all warranty periods have expired, without a legitimate business justification tied to the original purpose (this violates the proportionality dimension of "necessary scope" and sits uneasily with Article 22, which requires the business to endeavor to delete personal data without delay once it is no longer needed).
The PPC has emphasized in enforcement practice that businesses must conduct a purpose-limitation analysis when designing processing operations: for each processing activity, the business must ask whether the activity serves the specified purpose and whether it is proportionate to that purpose. If the answer to either question is no, the business must either (a) obtain consent under Article 18(1), (b) rely on a statutory exception under Article 18(3), or (c) refrain from the processing.
Article 17(2): Purpose modification—the "appreciable link" constraint
Article 17(2) APPI permits a business to change the purpose of use, but "must not alter it beyond the extent that can be appreciably linked to what it was before the alteration" (変更前の利用目的と関連性を有すると合理的に認められる範囲を超えて行ってはならない, henkō mae no riyō mokuteki to kanrensei o yūsuru to gōriteki ni mitomerareru han'i o koete okonatte wa naranai).
This constraint is narrower than GDPR's compatibility test under Article 6(4). The APPI requires an appreciable link (関連性, kanrensei)—a reasonable relationship—between the original purpose and the changed purpose, assessed at the time of the alteration. The PPC's General Rules Guidelines state that the appreciable-link test is met when a reasonable data subject, aware of the original purpose, would find the new purpose to be a natural extension or reasonable variation of the original.
For example:
- Original purpose: "Processing payroll for your employment."
Changed purpose: "Administering statutory health insurance and pension contributions for your employment." Result: The changed purpose bears an appreciable link to the original (both serve the employment relationship and involve mandatory employer obligations). The business may change the purpose under Article 17(2) without obtaining consent, provided it notifies the data subject of the changed purpose in accordance with Article 21 or publicly discloses the changed purpose.
- Original purpose: "Fulfilling your product order."
Changed purpose: "Conducting customer-satisfaction surveys to improve our product offerings." Result: This is a marginal case. The PPC has not issued formal guidance on whether post-sale customer surveys bear an appreciable link to order fulfillment. The conservative compliance position is that the changed purpose does not bear an appreciable link (the original purpose was transactional; the new purpose is analytical and prospective), so the business should either (a) specify both purposes at the point of acquisition ("We use your information to fulfill your order and to conduct customer-satisfaction surveys"), or (b) obtain consent under Article 18(1) before using the customer's contact information for surveys.
- Original purpose: "Fulfilling your product order."
Changed purpose: "Providing personalized marketing for unrelated products and services offered by our affiliates." Result: The changed purpose does not bear an appreciable link to the original. Marketing is a fundamentally different purpose from order fulfillment. The business must obtain consent under Article 18(1) or specify the marketing purpose separately at the point of acquisition.
The practical takeaway for contract-based processing is that a business should specify the contractual purpose broadly enough to cover reasonably foreseeable processing activities necessary to perform the contract, while remaining concrete and transparent. A purpose statement such as "managing our contractual relationship with you, including performing our obligations under the contract, exercising our rights, and complying with applicable laws" is typically specific enough to satisfy Article 17(1) while covering the operational processing activities the contract entails.
Contrast with GDPR Article 6(1)(b): structural and practical differences
A cross-border compliance professional should note four key divergences between the APPI's purpose-specification framework and GDPR's contract-necessity basis:
- No explicit "necessity" standard tied to contract performance. GDPR Article 6(1)(b) requires that processing be "necessary for the performance of a contract." The European Data Protection Board (EDPB) has interpreted "necessary" strictly: the processing must be objectively indispensable to perform the contract, not merely useful or commercially advantageous (see EDPB Guidelines 2/2019 on Article 6(1)(b)). The APPI's Article 18(1) "necessary scope" standard is more flexible: it asks whether the processing is reasonably required to achieve the specified purpose, not whether the contract would fail without it. For multinational organizations, the safer approach is to apply the stricter GDPR necessity standard globally and treat any processing that satisfies GDPR Article 6(1)(b) as also satisfying the APPI's Article 17 + 18 framework.
- Purpose specification is mandatory; the lawful basis is implicit. GDPR requires the controller to identify the lawful basis before processing and to inform the data subject of that basis (Article 13(1)(c) and 14(1)(c)). The APPI requires the business to specify the purpose and to notify or disclose it, but the statute does not require the business to label the processing as "contract-based" or "consent-based." The lawfulness of the processing is determined functionally: if the processing stays within the specified purpose, it is lawful; if it exceeds that purpose, consent is required.
- Consent under APPI Article 18(1) is narrower than GDPR's "consent as a lawful basis." GDPR Article 6(1)(a) permits a controller to rely on consent as the lawful basis for processing, and consent obtained under GDPR must meet the Article 4(11) and Article 7 requirements (freely given, specific, informed, unambiguous, withdrawable). The APPI's Article 18(1) consent requirement applies only when processing exceeds the specified purpose; it is not a standalone lawful basis for processing within the purpose. As a result, when a business processes personal information for the purpose specified at acquisition (e.g., performing an employment contract), the APPI does not require the business to obtain consent, even if GDPR would permit the controller to choose between Article 6(1)(b) (contract) and Article 6(1)(a) (consent) as alternative bases.
- No pre-contractual processing carve-out with independent scope. GDPR Article 6(1)(b) expressly covers processing "necessary … in order to take steps at the request of the data subject prior to entering into a contract." The APPI does not provide a parallel provision. Instead, businesses must specify the pre-contractual purpose under Article 17(1)—for example, "evaluating your application for employment," "processing your service inquiry," or "preparing a quotation for the requested services"—and notify the data subject of that purpose at the point of acquisition. Processing that is necessary to achieve that pre-contractual purpose then proceeds under Article 18(1) without requiring separate consent, provided the processing stays within the necessary scope. In practice, the outcome is similar to GDPR Article 6(1)(b) pre-contractual processing, but the APPI frames it as a purpose-specification obligation rather than a distinct lawful-basis category.
Best-practice guidance for multinational organizations
For organizations subject to both GDPR and APPI, the recommended compliance approach is:
- Specify the contractual purpose concretely at the point of acquisition. Draft privacy notices and consent forms (where used) to state the processing purpose in terms tied to the contract: "We collect and use your personal information to perform our obligations under the [employment agreement / sales contract / service agreement], including [enumerate key activities]."
- Apply the stricter GDPR necessity standard when determining scope. If a processing activity is "necessary for the performance of a contract" under GDPR Article 6(1)(b), it will likewise fall within the "necessary scope" under APPI Article 18(1). If GDPR would require consent (because the processing is not strictly necessary for contract performance), obtain consent under both regimes.
- Maintain records of purpose-specification and consent. The APPI does not mandate a specific form of documentation, but the PPC's enforcement posture requires businesses to demonstrate that they specified the purpose, notified or disclosed it, and obtained consent when required. Maintain records of privacy notices provided at the point of acquisition, consent forms (if used), and the business logic tying each processing activity to the specified purpose.
- Monitor for purpose creep. When adding new processing activities to an existing contractual relationship (e.g., deploying a new HR analytics tool for employee data, introducing a customer-loyalty program for purchase data), conduct a purpose-limitation analysis: Does the new activity fall within the originally specified purpose? If not, does it bear an appreciable link under Article 17(2)? If neither, obtain consent under Article 18(1) or specify the new purpose separately and notify the data subject.
Article 18(3) exceptions: when consent is not required even for processing beyond the specified purpose
Article 18(3) APPI enumerates six narrow exceptions permitting businesses to process personal information beyond the specified purpose without obtaining consent: (i) cases based on laws and regulations; (ii) cases necessary to protect a person's life, body, or property where obtaining consent is difficult; (iii) cases particularly necessary to improve public health or promote the sound development of children where obtaining consent is difficult; (iv) cases where cooperation with a national government organ, a local government, or a person entrusted by either is necessary for the performance of affairs prescribed by laws and regulations, and obtaining consent is likely to impede that performance; (v) cases where the business is itself an academic research institution and handling the information is necessary for academic research purposes (including where academic research is only part of the purpose), unless this would unjustly infringe the rights and interests of individuals; and (vi) cases where personal data is provided to an academic research institution that needs to handle it for academic research purposes (including where academic research is only part of the purpose), subject to the same rights-and-interests limitation.
These exceptions are strictly construed and rarely apply to routine contractual processing. The most common exception invoked in the employment and vendor contexts is Article 18(3) item (i), the legal-obligation exception, which applies when a statute requires the business to process personal information for a purpose beyond the originally specified contractual purpose (e.g., tax withholding and reporting obligations under national tax legislation, employee health-examination reporting obligations under the Industrial Safety and Health Act, or suspicious-transaction reporting under the Act on Prevention of Transfer of Criminal Proceeds).
Businesses should document the specific statutory provision that imposes the legal obligation and should treat the exception as narrow: if the processing serves both a statutory obligation and a discretionary business purpose, the business should obtain consent for the discretionary component.
Conclusion: contract performance as purpose-based processing under the APPI
The APPI does not provide a standalone "contract necessity" lawful basis. Instead, processing necessary to perform a contract with the data subject is lawful under the purpose-specification and use-limitation framework established by Articles 17 and 18. Businesses specify the contractual purpose at the point of acquisition, process personal information within the scope necessary to achieve that purpose, and obtain consent only when processing exceeds that scope and none of the Article 18(3) statutory exceptions applies. For multinational organizations, the safest compliance approach is to apply the stricter GDPR Article 6(1)(b) necessity standard globally, specify contractual purposes concretely in privacy notices, and document the purpose-limitation analysis for each processing activity.
Source: Act on the Protection of Personal Information, Act No. 57 of 2003 (as amended through Act No. 37 of 2021), Articles 17 and 18
Source: Personal Information Protection Commission, APPI English translation (June 2020)
Minors and parental consent — Civil Code Article 5 capacity rules applied to APPI consent, with no bright-line age threshold
The Act on the Protection of Personal Information (APPI, Act No. 57 of 2003, as amended) does not contain a specific age threshold for children's consent akin to the GDPR Article 8(1) rule that processing of children's personal data based on consent is lawful only if the child is at least 16 years old (or such lower age, not below 13, as member states may provide). Instead, the APPI applies Japan's general Civil Code framework governing minors' legal capacity to consent, overlaid with regulatory guidance from the Personal Information Protection Commission (PPC) that addresses the intersection of capacity and consent in the data-protection context.
This creates uncertainty for businesses targeting children in Japan—particularly operators of online services, gaming platforms, educational technology, and social media—because the APPI does not specify a categorical age at which parental consent is required, leaving the determination to a fact-intensive assessment of whether the individual minor possesses the capacity to understand the consequences of the consent.
Civil Code Article 5: Parental consent required for juridical acts by minors
Under Japan's Civil Code (Act No. 89 of 1896, as amended), Article 5(1) provides: "A minor must obtain the consent of the minor's legal representative to perform a juridical act; provided, however, that this does not apply to a juridical act for merely acquiring a right or being released from an obligation."
Civil Code Article 4 sets the age of majority, and a "minor" is any individual below it. Until March 31, 2022 the age of majority was 20; Act No. 59 of 2018 lowered it to 18 with effect from April 1, 2022. (Note: not all APPI enforcement instruments and PPC guidance documents have been comprehensively updated to reflect this change as of 2026, so businesses should verify the operative definition for each statutory obligation.)
Article 5(1) establishes the baseline rule that minors lack capacity to perform juridical acts without the consent of a person with parental authority (親権者, shinkensha) or a legal guardian. A "juridical act" (法律行為, hōritsu kōi) under Japanese civil law encompasses contracts, unilateral declarations, and other manifestations of intent that produce legal consequences. The proviso carves out acts that confer only benefits on the minor (e.g., accepting a gift with no conditions).
Civil Code Article 5(2) permits a minor to rescind (取り消す, torikesu) a juridical act performed without the required parental consent. This rescission right runs to the benefit of the minor or the legal representative and operates to void the act retroactively.
APPI consent as a "juridical act" requiring parental involvement
The APPI does not define consent (同意, dōi), leaving the term to be interpreted within the broader Japanese legal framework. Because APPI consent under Articles 18, 20, 27, and 28 produces legal consequences, authorizing the business to process personal information beyond the specified purpose, to acquire sensitive personal information, to provide personal data to a third party, or to transfer personal data to a third party in a foreign country, PPC regulatory guidance treats consent as a juridical act within the meaning of Civil Code Article 5.
The PPC General Rules Guidelines (通則ガイドライン, Sōsoku Gaidorain, Notice of the Personal Information Protection Commission) state that "if minor principals under the age of 18 are not capable of understanding the consequences of consent, the consent of a statutory representative (parent or guardian) must be obtained where the principal's consent is required under the APPI."
This guidance establishes two critical principles:
- The operative age threshold is 18, not 20. Although the Civil Code defined "minor" as under 20 until the 2022 reform, the PPC uses 18 years as the reference point for assessing capacity in the APPI context. This matches Japan's lowering of the age of majority to 18 for most civil-law purposes, and sits above the thresholds used by comparable regimes: GDPR Article 8's default of 16, the 13-year bright line of the U.S. Children's Online Privacy Protection Act (COPPA), and Brazilian LGPD Article 14 §1, which requires parental consent for processing children's data, with "child" defined by reference to the Estatuto da Criança e do Adolescente as under 12.
- Capacity is assessed on a case-by-case basis. The PPC guidance does not create a categorical rule that all minors under 18 lack capacity to consent. Instead, it requires businesses to evaluate whether the individual minor is "capable of understanding the consequences of consent" in light of the complexity of the processing, the sensitivity of the data, and the risks to the minor. If the business determines that the minor lacks such understanding, parental consent is mandatory.
No statutory safe harbor; fact-intensive capacity determination
Unlike GDPR Article 8, which provides a bright-line rule (member states may set an age between 13 and 16, and parental consent is categorically required below that threshold), the APPI framework leaves businesses with a fact-intensive determination and no statutory safe harbor. The PPC has not published detailed criteria for assessing whether a minor "is capable of understanding the consequences of consent," nor has it issued sector-specific guidance (comparable to the UK Information Commissioner's Office Age Appropriate Design Code) prescribing age-appropriate consent mechanisms.
In practice, businesses operating in Japan often adopt one of three approaches:
- Conservative age-gating at 18. Require parental consent for all users under 18, treating the PPC's reference to "minors under the age of 18" as establishing a de facto bright line. This approach avoids the risk of a PPC finding that the business failed to obtain parental consent for a minor who lacked capacity, but imposes operational burdens (verifiable parental-consent mechanisms, age verification) and may reduce user acquisition in the under-18 demographic.
- Contextual capacity assessment. Evaluate the processing activity and the data type, and require parental consent only for high-risk or complex processing (e.g., acquisition of sensitive personal information under Article 20, cross-border transfers under Article 28, or behavioral profiling for targeted advertising). This approach aligns with the PPC's capacity-based standard but creates documentation and compliance risk if the business's capacity assessment is later challenged.
- Sectoral bright lines. Follow age thresholds prescribed by sector-specific laws or guidelines. For example, the Guidelines for the Protection of Personal Information in the Financial Sector (issued jointly by the PPC and the Financial Services Agency) specify that financial institutions must obtain written consent (including electronic or magnetic records) when processing personal information of minors, and that parental consent is required for minors under 18 in most circumstances.
Article 37(3) APPI: Legal representatives may exercise data-subject rights on behalf of minors
Article 37(3) APPI (Article 29(3) in the original 2003 numbering and Article 32(3) under the 2015 amendment) provides that a request for disclosure or other handling may be made through an agent as prescribed by Cabinet Order.
The Cabinet Order for Enforcement of the APPI (Article 8(i) in the version cited below) designates "the statutory agent of a minor or of an adult ward" as such an agent, so a parent or guardian may request disclosure, correction, addition, deletion, cessation of use, or cessation of third-party provision under Articles 33–35 APPI on behalf of the data subject.
This provision addresses exercise of data-subject rights, not the initial consent to processing. It confirms that parents and guardians retain authority to act on behalf of minors (and adult wards, 成年被後見人, seinen hikōkennin, individuals subject to adult guardianship due to mental incapacity) to enforce APPI rights, but it does not establish an independent parental-consent obligation for processing. The parental-consent requirement flows from the Civil Code Article 5 capacity framework as interpreted by PPC guidance, not from Article 37(3) itself.
Proposed 2026 amendments: Statutory children's-data protections for minors under 16
As of June 2026, the Japanese Diet is considering a Bill to Amend the APPI (approved by the Cabinet on April 7, 2026, and submitted to the Diet) that would introduce Japan's first statutory protections specific to children's personal data. The Bill proposes:
- Defining "children" as individuals under 16 years of age for purposes of enhanced data-protection obligations (aligning with GDPR Article 8's default threshold);
- Requiring businesses to obtain parental consent before processing children's personal information, with exceptions mirroring the Article 18 and Article 20 statutory exceptions (legal obligation, vital interests, public health, cooperation with government organs);
- Granting children (or their legal representatives) enhanced rights to request deletion or cessation of use of their personal data, with a relaxed standard (businesses must comply unless cessation would impose a disproportionate burden).
The Bill also proposes a separate category of "specific biometric personal information" (特定生体情報, tokutei seitai jōhō) covering facial recognition, fingerprint, iris, and voice-pattern data, with heightened transparency requirements and a prohibition on third-party provision via the opt-out mechanism under Article 27(2).
If enacted, the children's-data amendments would come into force approximately two years after enactment (estimated 2027–2028 based on the legislative calendar and the PPC's need to issue implementing regulations). Businesses handling children's data in Japan should monitor the Diet's progress and begin designing age-verification and parental-consent mechanisms in anticipation of the new regime.
Cross-border context: Comparison to GDPR Article 8 and COPPA
A privacy professional familiar with GDPR will note four key differences between the APPI's current approach and GDPR Article 8:
- No bright-line age threshold. GDPR Article 8(1) establishes 16 as the default age of consent (with member-state flexibility to lower it to no less than 13); the APPI relies on Civil Code capacity principles and PPC guidance referencing 18, but with a case-by-case capacity assessment.
- No "reasonable efforts to verify" parental consent. GDPR Article 8(2) requires controllers to "make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology." The APPI contains no parallel statutory obligation, though businesses relying on parental consent under Civil Code Article 5 must be able to demonstrate that consent was obtained (a general evidentiary obligation under PPC enforcement practice).
- Parental consent applies across all processing, not just information-society services. GDPR Article 8 applies only to "the offer of information society services directly to a child"; the APPI's Civil Code-derived parental-consent requirement applies to any juridical act by a minor lacking capacity, meaning it governs consent for processing in offline contexts (e.g., a minor enrolling in a sports club and consenting to processing of health data) as well as online.
- No statutory carve-out for preventive or counseling services. Recital 38 GDPR states that parental consent should not be necessary in the context of "preventive or counselling services offered directly to a child"; the APPI framework does not create a comparable exception, though businesses may argue that the Civil Code Article 5(1) proviso (acts conferring only benefits) or the Article 18(3)/Article 20(2) life-body-property exception applies in health or welfare contexts.
For organizations operating in both the EU and Japan, the safest compliance approach is to require verifiable parental consent for all users under 16 (the GDPR floor, and the proposed APPI threshold under the 2026 Bill) and to treat the current PPC guidance as requiring parental consent for minors under 18 who lack capacity to understand the consequences. This avoids the risk of underestimating age thresholds in either regime.
Enforcement practice and practical guidance
The PPC has not published enforcement actions specifically addressing failures to obtain parental consent for minors' data processing, in part because the APPI's children's-data rules are nascent and the capacity-based standard creates ambiguity. However, the PPC's General Rules Guidelines Q&A (published in Japanese on the PPC website) clarify that businesses should:
- Document the capacity assessment. If the business concludes that a minor user possesses capacity to consent, it should maintain a record of the basis for that determination (e.g., the user's age, the simplicity and low risk of the processing, the clarity of the consent disclosure).
- Implement age-verification mechanisms where feasible. While the APPI does not mandate age verification, businesses that claim reliance on minor consent should be able to demonstrate that they took steps to ascertain the user's age and, if below the threshold of presumed capacity, either obtained parental consent or declined to process.
- Provide child-friendly disclosures. When seeking consent from minors who are assessed as having capacity, the consent disclosure should be written in plain language appropriate to the minor's age and comprehension level. The PPC has indicated (in Q&A responses) that consent obtained through lengthy, legalistic privacy policies that a minor cannot reasonably understand is not valid under the voluntary, specific, and informed standard articulated in the General Rules Guidelines.
The intersection of Civil Code capacity rules and APPI consent obligations remains an area of legal uncertainty in Japan, and businesses handling children's data should consult Japanese legal counsel and monitor PPC guidance updates as the 2026 legislative amendments progress through the Diet.
Source: Act on the Protection of Personal Information, Act No. 57 of 2003 (as amended through Act No. 37 of 2021), Article 37
Source: Civil Code, Act No. 89 of 1896 (as amended), Articles 4 and 5
Source: Order for Enforcement of the Act on the Protection of Personal Information, Cabinet Order No. 507 of 2003 (as amended through Cabinet Order No. 166 of 2008), Article 8